
Active Roles 7.4.3 - Synchronization Service Administration Guide


Step 2: Configure Synchronization Service

To configure Synchronization Service you installed in Step 1: Install Synchronization Service, you can use one of the following methods:

  • Specify new SQL Server databases for storing the Synchronization Service data.
    With this method, you can select to store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.
  • Share existing configuration settings between two or more instances of Synchronization Service.

To configure Synchronization Service from scratch using a new database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Create a new configuration and click Next.
  5. On the Database Connection page, specify an SQL Server database and authentication method, and click Next.

    If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the Store sync data in a separate database check box, and then specify the database name.

    If you want to store the configuration settings and synchronization data in two separate databases, select that check box, and then specify the database in which you want to store the synchronization data.

  6. On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Use an existing configuration and click Next.
  5. On the Configuration File page, select the I have the configuration file check box to provide the configuration file you exported from an existing Synchronization Service instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.
  6. If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using this Configuration wizard. To start the wizard, start the Administration console and click the gear icon in the upper right corner of the console.


Step 3: Configure Sync Workflow to back-synchronize Azure AD Objects to Active Roles

Active Roles Configuration to synchronize existing Azure AD objects to Active Roles

In any hybrid environment, on-premises Active Directory objects are synchronized to Azure AD using some means such as Azure AD Connect. When Active Roles 7.4 is deployed in such a hybrid environment, the existing users and groups' information, such as Azure objectID, must be synchronized back from Azure AD to on-premises AD to continue using the functionality. To synchronize existing AD users and groups from Azure AD to Active Roles we must use the back-synchronization operation.

The back-synchronization operation can be performed automatically or manually using the Active Roles Synchronization Service Console:

  • Automatic Back Synchronization is performed using the Azure Backsync Configuration feature in Active Roles Synchronization Service that allows you to configure the backsync operation in Azure with on-premises Active Directory objects through the Active Roles Synchronization Service Console. After the backsync operation is completed successfully the Azure application registration and the required connections, mappings, and sync workflow steps are created automatically.
  • Manual Back Synchronization is performed by leveraging the existing functionality of the Synchronization Service component of Active Roles. Synchronization workflows are configured to identify the Azure AD unique users or groups and map them to the on-premises AD users or groups. After the back-synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.

Prerequisites to configure the back-synchronization:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • The user account used to perform Back sync configuration must have the following privileges:

    • User Administrator

    • Privileged Role Administrator

    • Exchange Administrator

    • Application Administrator

  • The Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed for the backsync feature to work successfully.

  • Directory Writers Role must be enabled in Azure Active Directory. To enable the role use the following script:

    $psCred = Get-Credential
    Connect-AzureAD -Credential $psCred
    # Look up the "Directory Writers" role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
    # Enable an instance of the DirectoryRole template
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

To configure Azure backsync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-prem Active Directory objects dialog box is displayed.

  2. In the dialog box that opens:

    1. Enter valid account credentials for the Azure domain, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:
      • Use Internet Explorer settings: Causes the connector to automatically detect and use the proxy server settings specified in Microsoft Internet Explorer installed on the Synchronization Service computer.
      • Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).
      • Automatically detect: Automatically detects and uses proxy server settings.
      • Do not use proxy settings: Specifies not to use a proxy server for the connection.

      On successful validation, a message confirming that the Office 365 connection settings are valid is displayed.

    3. Enter valid Active Roles account details and click Test Active Roles Connection.

      On successful validation, a message confirming that the Active Roles connection settings are valid is displayed.

  3. Click Configure BackSync.

    The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically. For more information on the automatically created backsync settings, see Settings updated after Azure backsync configuration operation.

    On successful configuration, a success message is displayed.

    If the Azure BackSync settings are already configured in the system, a warning message asks you to confirm whether you want to override the existing backsync settings with the new settings. To do so, click Override BackSync Settings; otherwise, click Cancel to retain the existing settings.

Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles manually

Prerequisites to configure the back-synchronization manually

  • The hybrid environment must have Azure AD Connect installed and configured.
  • Synchronization Service Component must be installed and configured for Active Roles.
  • Azure AD configuration and the Administrator Consent for the Azure AD application through the Web Interface must be complete.
  • The Azure AD built-in policy must be enforced; it automatically sets the attribute edsvaAzureOffice365Enabled to true for the container where the back-synchronization is performed.

  • For the back-synchronization to work as expected, the user in ARS must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have local administrator privileges on the computer where the ARS Synchronization Service is running.

To configure a sync workflow to back-synchronize users and groups, perform the following steps

Step 1: Create Connection to Azure AD in the hybrid environment

Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD.

To configure an application:

  1. Create an Azure Web application (or use any relevant existing Azure Web Application) under the tenant of your Windows Azure Active Directory environment.

    The application must have "Application Permissions" to "read" and "write" directory data in Windows Azure Active Directory.

    NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Synchronization Service Administration Console.

  2. Open the application properties and copy the following:
    1. Client ID
    2. Valid key of the application
  3. You need to supply the copied client ID and key when creating a new or modifying an existing connection to Windows Azure Active Directory in the Synchronization Service Administration Console.

    NOTE: The Web Application that is created or is already available for Sync Service Azure AD Connector, is different from the application that is created while configuring Azure AD using Active Roles Web interface. Both the applications must be available for performing back-sync operations.

Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Workflow

Create a Sync Workflow using the Azure AD and Active Roles connections. Add a Synchronization step to Update Azure User/Group to Active Roles User/Group.

Set the edsvaAzureAssociatedTenantId attribute in the Active Roles user/group to the Azure tenant ID. If the edsvaAzureAssociatedTenantId attribute is not configured, an error is logged in the event viewer for each object.

Configure the Forward Sync Rule to synchronize the following:

  • Azure ObjectID property of a user/group to the Active Roles user/group edsvaAzureObjectID property.
  • Set the edsvaAzureOffice365Enabled attribute in Active Roles user/group to True.
  • Set edsvaAzureAssociatedTenantId with Azure Tenant ID.

Step 4: Create Mapping

Create a Mapping Rule which identifies the user/group in Azure AD and on-premises AD uniquely and maps the specified properties from Azure AD to Active Roles appropriately.

For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • Based on the environment, make sure to create the correct Mapping rule to identify the user or group uniquely. An incorrect mapping rule may create duplicate objects, and the back-sync operation may not work as expected.
  • Initial configuration and execution of the back-sync operation for Azure AD user IDs is a one-time activity.
  • In Federated or Synchronized environments, Azure AD group creation is not supported. The group is created in Active Roles and is eventually synchronized to Azure using Microsoft native tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premises AD.
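As a preflight check for Step 3 and Step 4, the following added PowerShell example (not part of this guide or of the product) dry-runs a userPrincipalName mapping rule over constructed sample objects: it reports keys that are not unique on either side, objects with no counterpart, and the three attribute values the forward sync rule would write for each clean one-to-one pair. The $onPremUsers and $azureUsers lists and the tenant ID are constructed stand-ins for Get-ADUser / Get-AzureADUser output; the Test-BackSyncMapping function name is the example's own.

```powershell
# Constructed sample objects standing in for Get-ADUser / Get-AzureADUser output.
# 'asmith' has a duplicate UPN on-prem (case differs); 'cloudonly' exists only in Azure AD.
$onPremUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    UserPrincipalName = 'jdoe@example.com' },
    [pscustomobject]@{ SamAccountName = 'asmith';  UserPrincipalName = 'asmith@example.com' },
    [pscustomobject]@{ SamAccountName = 'asmith2'; UserPrincipalName = 'ASmith@example.com' },
    [pscustomobject]@{ SamAccountName = 'bjones';  UserPrincipalName = 'bjones@example.com' }
)
$azureUsers = @(
    [pscustomobject]@{ ObjectId = 'aaaa0001-0000-0000-0000-000000000001'; UserPrincipalName = 'jdoe@example.com' },
    [pscustomobject]@{ ObjectId = 'aaaa0002-0000-0000-0000-000000000002'; UserPrincipalName = 'asmith@example.com' },
    [pscustomobject]@{ ObjectId = 'aaaa0003-0000-0000-0000-000000000003'; UserPrincipalName = 'cloudonly@example.com' }
)
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real tenant ID

function Test-BackSyncMapping {
    param(
        [Parameter(Mandatory)] [object[]] $OnPrem,
        [Parameter(Mandatory)] [object[]] $Azure,
        [Parameter(Mandatory)] [string]   $TenantId,
        [string] $Key = 'UserPrincipalName'          # attribute used by the mapping rule
    )
    # Group both sides by the mapping key (case-insensitive, like UPN comparison).
    # A group with more than one member means the key is not unique on that side.
    $onPremGroups = @($OnPrem | Group-Object -Property $Key)
    $azureGroups  = @($Azure  | Group-Object -Property $Key)
    $dupOnPrem = @($onPremGroups | Where-Object Count -gt 1 | ForEach-Object Name)
    $dupAzure  = @($azureGroups  | Where-Object Count -gt 1 | ForEach-Object Name)
    $onPremByKey = @{}                                # hashtable keys are case-insensitive
    foreach ($g in $onPremGroups) { $onPremByKey[$g.Name] = @($g.Group) }
    $azureKeys = @{}
    foreach ($g in $azureGroups)  { $azureKeys[$g.Name] = $true }
    $updates = @(); $unmatchedAzure = @()
    foreach ($g in $azureGroups) {
        if (-not $onPremByKey.ContainsKey($g.Name)) { $unmatchedAzure += $g.Name; continue }
        # Only a strict 1:1 pair is written; an ambiguous pair is reported, never mapped.
        if ($g.Count -ne 1 -or $onPremByKey[$g.Name].Count -ne 1) { continue }
        $updates += [pscustomobject]@{
            Target                       = $onPremByKey[$g.Name][0].SamAccountName
            edsvaAzureObjectID           = $g.Group[0].ObjectId   # Azure ObjectID -> edsvaAzureObjectID
            edsvaAzureOffice365Enabled   = $true                  # set to True by the forward sync rule
            edsvaAzureAssociatedTenantId = $TenantId              # Azure tenant ID
        }
    }
    $unmatchedOnPrem = @($onPremGroups | Where-Object { -not $azureKeys.ContainsKey($_.Name) } | ForEach-Object Name)
    [pscustomobject]@{
        SafeToRun       = ($dupOnPrem.Count -eq 0 -and $dupAzure.Count -eq 0)
        Updates         = $updates
        DuplicateOnPrem = $dupOnPrem
        DuplicateAzure  = $dupAzure
        UnmatchedAzure  = $unmatchedAzure
        UnmatchedOnPrem = $unmatchedOnPrem
    }
}

$report = Test-BackSyncMapping -OnPrem $onPremUsers -Azure $azureUsers -TenantId $tenantId
$report.Updates | Format-Table -AutoSize
if (-not $report.SafeToRun) {
    Write-Warning ("Mapping key is not unique. On-prem: {0}; Azure: {1}" -f ($report.DuplicateOnPrem -join ', '), ($report.DuplicateAzure -join ', '))
}
$report.UnmatchedAzure | ForEach-Object { Write-Warning "No on-prem object for $_; it would not be back-synced." }
```

With the sample data only jdoe produces an update; asmith is skipped because the UPN is duplicated on-prem, cloudonly and bjones are reported as unmatched, and SafeToRun is false, which is the signal to correct the mapping rule before running the workflow.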

Settings updated after Azure backsync configuration operation

This section gives descriptions about the Azure App registration, connections, mappings, and workflow steps that are created automatically as a result of the Azure backsync configuration operation.

App registration

The Azure App is created automatically with the default name as ActiveRoles AutocreatedAzureBackSyncApp_V2.

NOTE: After the Azure App is registered in Azure, you must not delete or modify the application. The backsync operation will not work as expected in case you modify or delete the registered Azure App.

Sync Workflows

On the Synchronization Service Administration Console, click Sync Workflows to view the sync workflow named AutoCreated_AzureADBackSyncWorkflow_<tenant name> that is created as a result of the Azure BackSync configuration. The workflow displays the following synchronization update steps from Azure AD to Active Roles for users, groups, and contacts.

  • Step 1: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowUser_<tenant> for users.
  • Step 2: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowGroup_<tenant> for groups.
  • Step 3: AutoCreated_UpdateFromO365ToARSForBackSyncWorkFlowContact_<tenant> for contacts.

NOTE:

  • Multiple tenants are supported in back-sync. The workflows can be identified using the name of the tenant.
  • The Forward Sync Rules to synchronize the following are automatically configured and displayed in the synchronization update steps for users and groups:
    • The Azure ObjectID property of a user or group is mapped to the Active Roles user or group edsvaAzureObjectID property.
    • The edsvaAzureOffice365Enabled attribute in the Active Roles user or group is set to True.
    • The edsvaAzureAssociatedTenantId attribute in the Active Roles user or group is set to the Azure Tenant ID.
  • The Forward Sync Rules to synchronize the following are automatically configured and displayed in the synchronization update steps for contacts:
    • The Azure ExternalDirectoryObjectID property of a contact is mapped to the Active Roles contact edsaAzureContactObjectId property.
    • The edsvaAzureOffice365Enabled attribute in the Active Roles user or group is set to True.
    • The edsvaAzureAssociatedTenantId attribute in the Active Roles user or group is set to the Azure Tenant ID.

Connections

On the Synchronization Service Administration Console, click Connections to view the connections from Active Roles, Azure AD, and Office 365 to external data systems. The following connections are configured and displayed by default:

  • AutoCreated_ARSConnectorForBackSyncWorkFlow_<tenant>
  • AutoCreated_AzureADConnectorForBackSyncWorkFlow_<tenant>
  • AutoCreated_O365ConnectorForBackSyncWorkFlow_<tenant>

NOTE: Multiple tenants are supported in back-sync. The connection name can be identified using the name of the tenant.

Mapping

On the Synchronization Service Administration Console, click Mapping to view the Mapping rules which identify the users, groups, or contacts in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

On the Mapping tab, click a connection name to view or modify the mapping settings for the corresponding connection. The user, group, and contact mapping pair information is displayed by default as a result of the Azure BackSync configuration. For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • For more information on managing mapping pairs for the connections, see the Mapping Tab section.

  • The mapping rules are created by default. Based on the environment, make sure that the default mapping rules identify the user or group uniquely. Otherwise, correct the Mapping rule as required. Incorrect mapping rules may create duplicate objects, and the back-sync operation may not work as expected.

  • Initial configuration and execution of back-sync operation for Azure AD users ID and group ID is a one-time activity. If required, you can re-configure the Azure backsync settings which will override the previously configured backsync settings.


Upgrade from Quick Connect and Synchronization Service

If you have synchronization workflows configured and run by Quick Connect (predecessor of Synchronization Service), or earlier versions of Synchronization Service, then you can transfer those synchronization workflows to Active Roles and have them run by Synchronization Service.

You can transfer synchronization workflows from the following Quick Connect or Synchronization Service versions:

  • Quick Connect Sync Engine 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, or 6.1.0
  • Quick Connect Express for Active Directory 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, or 6.1.0
  • Quick Connect for Cloud Services 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, or 3.7.0
  • Quick Connect for Base Systems 2.2.0, 2.3.0, or 2.4.0
  • Synchronization Service 7.0, 7.1, 7.2, 7.3, or 7.4.x